Cryptocurrency Owners - Where Do You Keep Your Seed?

wmvink
Posts: 101
Joined: Sat Apr 13, 2013 12:44 am

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by wmvink »

Gadget wrote: Fri Apr 30, 2021 3:13 pm
waltman300 wrote: Fri Apr 30, 2021 1:48 pm Also, one thing I want to ask related to this. Someone mentioned this as well. But how do you make sure your crypto is passed on to your family if something happens to you?
The only argument against using a password manager I heard is keyloggers. So basically, you need to enter your seed phrase onto your password manager one time from a clean PC that has no keylogger. If you are paranoid enough, buy a Chromebook, do a factory wipe, and install only the password manager before entering the seed phrase. After that, you shouldn't need to get your seed phrase again unless your hardware wallet or software wallet dies and you need to recover it.
And this too is not 100% secure.

Back in November/December/January, a lot of people's wallets got emptied because they downloaded a fake version of Metamask. The hackers were somehow able to get their fake extension very high in the search rankings. Users who installed this version of Metamask and created a new wallet were simply forwarded to the real Metamask extension. But those who installed it to recover/access an existing wallet had their seed phrase sent to the hackers the minute they typed it.

Technically you could argue it's still a keylogger and that's true, but it's mighty sophisticated and fooled a lot of experienced users. Just do a Google search for 'Metamask hack'.........
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by Gadget »

wmvink wrote: Fri Apr 30, 2021 4:46 pm
Gadget wrote: Fri Apr 30, 2021 3:13 pm
waltman300 wrote: Fri Apr 30, 2021 1:48 pm Also, one thing I want to ask related to this. Someone mentioned this as well. But how do you make sure your crypto is passed on to your family if something happens to you?
The only argument against using a password manager I heard is keyloggers. So basically, you need to enter your seed phrase onto your password manager one time from a clean PC that has no keylogger. If you are paranoid enough, buy a Chromebook, do a factory wipe, and install only the password manager before entering the seed phrase. After that, you shouldn't need to get your seed phrase again unless your hardware wallet or software wallet dies and you need to recover it.
And this too is not 100% secure.

Back in November/December/January, a lot of people's wallets got emptied because they downloaded a fake version of Metamask. The hackers were somehow able to get their fake extension very high in the search rankings. Users who installed this version of Metamask and created a new wallet were simply forwarded to the real Metamask extension. But those who installed it to recover/access an existing wallet had their seed phrase sent to the hackers the minute they typed it.

Technically you could argue it's still a keylogger and that's true, but it's mighty sophisticated and fooled a lot of experienced users. Just do a Google search for 'Metamask hack'.........
Seems like an unfair comparison though. How does any method protect against this? If you get phished for your seed phrase, it's gone. No matter what security you used to store it. Doesn't matter if your seed phrase was in a password manager, or engraved on steel buried in a vault. If you type it into a phishing scam, it's gone.

The caveat to that is my other suggestion though. Your seed phrase can be a wallet with a little crypto in it. If you use a passphrase on your main wallet, then the attacker would need both your seed phrase and your passphrase. The key that someone had your seed phrase would be when your main wallet balance gets wiped out. That'd be the notice that you should move your passphrase protected wallet to a new seedphrase.
wmvink
Posts: 101
Joined: Sat Apr 13, 2013 12:44 am

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by wmvink »

Gadget wrote: Fri Apr 30, 2021 4:55 pm Seems like an unfair comparison though. How does any method protect against this? If you get phished for your seed phrase, it's gone. No matter what security you used to store it. Doesn't matter if your seed phrase was in a password manager, or engraved on steel buried in a vault. If you type it into a phishing scam, it's gone.
Correct. And so this is the core issue with the security of crypto wallets: it's 1FA, not 2FA. 2FA could guard against an attack like this.

It's why I believe that for the vast majority of users, a custodian like Coinbase or BlockFi is more secure than DIY. There are some non-custodial solutions on the market (search 'multisig') and there is Argent and Zengo for non-Enterprise usage.
Gadget wrote: Fri Apr 30, 2021 4:55 pm
The caveat to that is my other suggestion though. Your seed phrase can be a wallet with a little crypto in it. If you use a passphrase on your main wallet, then the attacker would need both your seed phrase and your passphrase. The key that someone had your seed phrase would be when your main wallet balance gets wiped out. That'd be the notice that you should move your passphrase protected wallet to a new seedphrase.
I'm not sure I follow. What's the difference between a seed phrase and a passphrase?
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by Gadget »

wmvink wrote: Fri Apr 30, 2021 5:03 pm
Gadget wrote: Fri Apr 30, 2021 4:55 pm Seems like an unfair comparison though. How does any method protect against this? If you get phished for your seed phrase, it's gone. No matter what security you used to store it. Doesn't matter if your seed phrase was in a password manager, or engraved on steel buried in a vault. If you type it into a phishing scam, it's gone.
Correct. And so this is the core issue with the security of crypto wallets: it's 1FA, not 2FA. 2FA could guard against an attack like this.

It's why I believe that for the vast majority of users, a custodian like Coinbase or BlockFi is more secure than DIY. There are some non-custodial solutions on the market (search 'multisig') and there is Argent and Zengo for non-Enterprise usage.
Gadget wrote: Fri Apr 30, 2021 4:55 pm
The caveat to that is my other suggestion though. Your seed phrase can be a wallet with a little crypto in it. If you use a passphrase on your main wallet, then the attacker would need both your seed phrase and your passphrase. The key that someone had your seed phrase would be when your main wallet balance gets wiped out. That'd be the notice that you should move your passphrase protected wallet to a new seedphrase.
I'm not sure I follow. What's the difference between a seed phrase and a passphrase?
I agree for a non tech person, something like Coinbase or BlockFi might be more secure than DIY.

However, a passphrase on a wallet is like a 2nd factor. It unlocks a "hidden" wallet that can only be accessed with both a seed phrase and a passphrase. If the passphrase is something only you know, then losing your seed phrase wouldn't matter. And if you keep a token amount of crypto on your main seed phrase wallet, you'll know when that seed phrase is compromised and you can move your passphrase protected funds elsewhere.
https://wiki.trezor.io/Passphrase
wmvink
Posts: 101
Joined: Sat Apr 13, 2013 12:44 am

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by wmvink »

Gadget wrote: Fri Apr 30, 2021 5:16 pm
I agree for a non tech person, something like Coinbase or BlockFi might be more secure than DIY.

However, a passphrase on a wallet is like a 2nd factor. It unlocks a "hidden" wallet that can only be accessed with both a seed phrase and a passphrase. If the passphrase is something only you know, then losing your seed phrase wouldn't matter. And if you keep a token amount of crypto on your main seed phrase wallet, you'll know when that seed phrase is compromised and you can move your passphrase protected funds elsewhere.
https://wiki.trezor.io/Passphrase
Ah great, I had no idea. Thank you. It seems that feature is specific to Trezor hardware wallets. There is one thing about this feature that gives me pause and that is the following:
If you forget your passphrase, your wallet is lost for good. There is no way to recover the funds.
In my case, I don't trust myself to not lose a passphrase, seed phrase or whatever the name is. But for a lot of other people I agree it may be safer to have something on a piece of paper.
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by Gadget »

wmvink wrote: Fri Apr 30, 2021 5:31 pm
Gadget wrote: Fri Apr 30, 2021 5:16 pm
I agree for a non tech person, something like Coinbase or BlockFi might be more secure than DIY.

However, a passphrase on a wallet is like a 2nd factor. It unlocks a "hidden" wallet that can only be accessed with both a seed phrase and a passphrase. If the passphrase is something only you know, then losing your seed phrase wouldn't matter. And if you keep a token amount of crypto on your main seed phrase wallet, you'll know when that seed phrase is compromised and you can move your passphrase protected funds elsewhere.
https://wiki.trezor.io/Passphrase
Ah great, I had no idea. Thank you. It seems that feature is specific to Trezor hardware wallets. There is one thing about this feature that gives me pause and that is the following:
If you forget your passphrase, your wallet is lost for good. There is no way to recover the funds.
In my case, I don't trust myself to not lose a passphrase, seed phrase or whatever the name is. But for a lot of other people I agree it may be safer to have something on a piece of paper.
Ledger supports passphrases too. I think different wallets just brand the term differently. Secret phrase, passphrase, etc.
https://support.ledger.com/hc/en-us/art ... e-security

Also, I don't do this, but your passphrase could be the same as your password manager password since you obviously have to remember that one. Or it could just be your name. It doesn't really need to be complicated, because only you would even know that you had a passphrase for your seed phrase. That 2nd factor wouldn't be written down anywhere. If you have crypto funds on your main seed phrase wallet, and someone steals that, I highly doubt they're going to go to the trouble of brute force attacking all possible combinations of passphrases to your seed phrase to see if you have hidden funds somewhere else. Even a passphrase that was one character would be more secure than no passphrase at all.
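What the passphrase discussed in the posts above does at the key-derivation level, as an added example that is not part of any poster's text: under BIP39, the standard behind the Trezor and Ledger passphrase feature, the passphrase is mixed into the PBKDF2 salt, so every passphrase, including a mistyped one, leads to a valid but different wallet and nothing ever reports a "wrong passphrase". The helper names, the sample passphrases and the guess-space function are illustrative assumptions; the mnemonic is the public BIP39 test vector.

```python
import hashlib
import hmac
import unicodedata

PBKDF2_ROUNDS = 2048  # iteration count fixed by BIP39

# Public BIP39 test mnemonic (11 x "abandon" + "about"); never fund it.
TEST_MNEMONIC = "abandon " * 11 + "about"


def _nfkd(text: str) -> bytes:
    """BIP39 requires NFKD normalisation before UTF-8 encoding."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """64-byte seed: PBKDF2-HMAC-SHA512(mnemonic, salt="mnemonic" + passphrase)."""
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, PBKDF2_ROUNDS, 64)


def wallet_fingerprint(seed: bytes) -> str:
    """Short label for the wallet a seed opens (truncated BIP32 master-key HMAC)."""
    return hmac.new(b"Bitcoin seed", seed, hashlib.sha512).hexdigest()[:16]


def search_space(alphabet_size: int, max_length: int) -> int:
    """How many passphrases of 1..max_length characters exist for an alphabet.

    This is all that protects the hidden wallet once the seed phrase itself
    has leaked, so it is the number to weigh when choosing a passphrase.
    """
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def demo() -> dict:
    """Same seed phrase, three passphrases (constructed samples), three wallets."""
    cases = {
        "standard wallet (no passphrase)": "",
        "hidden wallet": "correct horse",
        "hidden wallet, one typo": "correct hprse",  # silently a third wallet
    }
    return {label: wallet_fingerprint(bip39_seed(TEST_MNEMONIC, p))
            for label, p in cases.items()}


if __name__ == "__main__":
    for label, fingerprint in demo().items():
        print(f"{fingerprint}  {label}")
    print("1 printable-ASCII character:", search_space(95, 1), "candidates")
    print("up to 12 characters:", search_space(95, 12), "candidates")
```
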
ThankYouJack
Posts: 5704
Joined: Wed Oct 08, 2014 7:27 pm

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by ThankYouJack »

Gadget wrote: Fri Apr 30, 2021 3:52 pm
ThankYouJack wrote: Fri Apr 30, 2021 3:38 pm The thing I wouldn’t like about using a password manager for my seed is a $5 wrench attack. Not a big deal if you don’t own a lot of crypto, but say I have $1M in crypto. No way I would want my full seed accessible on my phone.
How does the guy with the wrench know? What is he searching for? You don't have to label the seed phrase in your manager as seed phrase or crypto...

If you have a million in crypto, you can make a standard wallet with seed phrase and a hidden wallet with your seed phrase + a passphrase. Trezor makes this easy. Basically, you have a token amount on your standard wallet with seed phrase for the bad guy to steal. But only you know the passphrase to access your main wallet with that seed phrase. The bad guy wouldn't even know you had a second account with that seedphrase that uses a passphrase unless you told him. You can have as many alternate accounts using a single seed phrase as you can remember passphrases for.
The guy with the wrench beats it out of you. First they have you unlock your phone. Then they notice your password manager app and have you unlock that. Then they comb through that. If you google "$5 wrench attack crypto" examples will come up where it has happened. Sure one can add additional layers to the seed and passphrases, but that increases the chances of human error / forgetting and losing it forever.

Unfortunately, I don't have to worry about this problem as I don't have $1M in crypto, but I think there's good reasons Ledger states:

https://www.ledger.com/blog/how-to-prot ... eed-phrase
You should never store your seed phrase on any application or device that is connected to the internet. Storing them offline is the safest option.
ThankYouJack
Posts: 5704
Joined: Wed Oct 08, 2014 7:27 pm

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by ThankYouJack »

Gadget wrote: Wed Apr 28, 2021 3:43 pm
Password managers are ideally suited for this task in my opinion. At least reputable ones like 1Password, Bitwarden, etc are.
Trezor also states:

https://blog.trezor.io/https-blog-trezo ... cc105457a0
The number one don’t that we can warn you against is this: Never store your recovery seed in any digital form.

....

Don’t store it in any password manager.
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by Gadget »

ThankYouJack wrote: Fri Apr 30, 2021 7:03 pm
Gadget wrote: Wed Apr 28, 2021 3:43 pm
Password managers are ideally suited for this task in my opinion. At least reputable ones like 1Password, Bitwarden, etc are.
Trezor also states:

https://blog.trezor.io/https-blog-trezo ... cc105457a0
The number one don’t that we can warn you against is this: Never store your recovery seed in any digital form.

....

Don’t store it in any password manager.
I mean, Trezor says that because they don't want people to sue them for their Trezor being hacked. They want people to think that if their seed phrase ever touched the cloud, it was the user's fault and not Trezor's. It's the same as a bank saying you can't save your password in a password manager or use it on an aggregation website.

I've already said that the crypto community is strongly against storing them in a password manager, so you won't have to dig hard to find links to support that. I just haven't found any compelling actual reasons that compare the likelihood of different risks and attack vectors. I make the claim that there are more risks and attack vectors to your seed phrase being backed up in a physical location.
gobsmacked
Posts: 22
Joined: Tue Sep 29, 2020 10:57 pm

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by gobsmacked »

One of the core aspects of what I do is computer security. For large amounts of crypto you want cold storage. Separate out your holdings to hot and cold wallets. 90 percent in cold storage. To do cold storage easily use a yubikey. Back up the key on a physical piece of paper and store at bank along with the key in a digital password manager like KeePass on a USB stick. Destroy any other evidence of key and use the yubikey as main access.

Your main vectors of attack are phishing and Trojan horses. Yubikey stops a lot of attacks because you need to physically tap the usb key.
wmvink
Posts: 101
Joined: Sat Apr 13, 2013 12:44 am

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by wmvink »

gobsmacked wrote: Sat May 01, 2021 10:07 am One of the core aspects of what I do is computer security. For large amounts of crypto you want cold storage. Separate out your holdings to hot and cold wallets. 90 percent in cold storage. To do cold storage easily use a yubikey. Back up the key on a physical piece of paper and store at bank along with the key in a digital password manager like KeePass on a USB stick. Destroy any other evidence of key and use the yubikey as main access.

Your main vectors of attack are phishing and Trojan horses. Yubikey stops a lot of attacks because you need to physically tap the usb key.
What if the Yubikey fails?

I know it's not common at all, but it's not impossible either. Over the years I've had 2 keychain yubikeys fail on me. I know that's just anecdotal and probably not representative for Yubikeys in general, but to me it does prove they're not 100% guaranteed to still work in the future.
gobsmacked
Posts: 22
Joined: Tue Sep 29, 2020 10:57 pm

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by gobsmacked »

What if the Yubikey fails?
The way I describe has you simply using the yubikey as just a secret storing device that can only output the secret on a physical touch.
To protect against failure you duplicate the secret but store it safely in a hard to get to place. If the yubikey ever fails or you lose it you will have to retrieve the secret from your bank's safety deposit box.

There may be some crypto wallets that support FIDO2 though I am not sure. Even if there were I'd really think about the 3rd party risk and see if it fits your risk profile. You can also buy multiple yubikeys and store the same secret in each. This is not the ideal use case of the yubikey though. I think the ideal use case is for FIDO2 sites.
lillycat
Posts: 260
Joined: Mon Aug 10, 2020 11:26 am

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by lillycat »

Love these clever ideas! Please keep them coming.
wmvink
Posts: 101
Joined: Sat Apr 13, 2013 12:44 am

Re: Cryptocurrency Owners - Where Do You Keep Your Seed?

Post by wmvink »

I've done a bit more research into non-custodial solutions that don't require a seed phrase (which I'm sure I'll lose eventually) or piece of hardware (which I'm sure I'll lose eventually) and in addition to Argent and Zengo which were mentioned earlier there's also Dharma and Gnosis Safe - both of which I have zero experience with. But thought I'd point out these solutions do exist.